Hello,
I would like to report an issue related to the packet size in the rmr library (ric-plt-lib-rmr).
When processing received packets, the library decodes the first 4 bytes as the packet size.
However, if the decoding result is a negative value, it leads to a subsequent core dump during the memcpy operation.
Through xApp, we can send packets of this nature to services that utilize this RMR library, leading to the disruption of the services.
This problem can be found in components that utilize the RMR library. For example, in the e2term, when receiving a packet with a decoded negative packet size on port 4561, it triggers this crash.
I have attached images of the packets that led to the crash and the decoded packets.
- relates to
-
RIC-991 CVE-2023-40997 RMR: Crashes caused by improperly formatted packets
- Done